NetFilter

iptables/nat and out of window packets

To: netfilter@lists.netfilter.org
Subject: iptables/nat and out of window packets
From: Pedro Abreu <pedro.abreu@anubisnetworks.com>
Date: Fri, 16 Feb 2007 17:00:16 +0000
Organization: AnubisNetworks
Reply-to: pedro.abreu@anubisnetworks.com
Hi,

a few days ago I had to deal with the following situation:

Mail RELAY:
kernel 2.6.14.4-vs2.1.0 (vs for vserver patch)
iptables v1.2.11
5mbit dedicated link
under my control

Mail STORE:
openbsd firewall (unknown version)
freebsd mail store (unknown version)
3mbit dedicated link
out of my control

RELAY forwards mail to STORE, which is on a totally different network.
All traffic was flowing fine, except for large emails (>100kb was
enough), which would time out many times while sending the message body,
especially when delivering more than one large mail at a time.

After some investigation, I found that lots of invalid out-of-window
packets were received by the RELAY when the timeouts occurred, using
"echo 255 > ip_conntrack_log_invalid" for troubleshooting. Apparently,
the solution was to "echo 1 > ip_conntrack_tcp_be_liberal" so that only
RST packets would be considered invalid. I tried that, and it worked.

My question is this: where exactly is the problem?

- A known netfilter problem, for that kernel version?
- A problem with the BSD stack/ipfilter?
- Something else?

Even after all the googling, I'm confused about this.

Thanks for any help.

Pedro Abreu



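For readers who want to see what the two knobs in the message above actually decide, here is an added illustration (not kernel code and not anything Pedro posted) of the TCP window tracking that sits behind ip_conntrack_log_invalid and ip_conntrack_tcp_be_liberal. On a 2.6 kernel those files live under /proc/sys/net/ipv4/netfilter/; on current kernels they are /proc/sys/net/netfilter/nf_conntrack_log_invalid and nf_conntrack_tcp_be_liberal. Conntrack keeps, per direction, the highest end the side has sent (td_end), the largest window it has advertised (td_maxwin) and the highest sequence number its peer may send (td_maxend); a segment outside those bounds is marked INVALID, and INVALID packets are never NATed and are dropped by the usual "-m state --state INVALID -j DROP" rule, which is why a sender sees timeouts rather than an error. The model below reproduces the four reason strings the kernel logs and the documented be_liberal rule (only out-of-window RSTs stay INVALID). The traffic it feeds in is constructed: a tracker that never saw the SYN handshake (and so never learnt the window scale) watches a receiver advertise 16384 bytes scaled by 2, then a 30-segment burst from the sender. Sequence numbers are plain integers without 32-bit wraparound and there is no SACK handling, so treat the arithmetic as a sketch of the kernel's, not a copy.

```python
"""Simplified model of netfilter's TCP window tracking (added example).

Keeps the three per-direction bounds the tracker uses, reports the same
four reason strings that ip_conntrack_log_invalid writes to the log, and
applies the documented tcp_be_liberal rule. Plain-int sequence numbers,
no 32-bit wraparound, no SACK: an illustration, not the kernel's code.
"""
from dataclasses import dataclass, field

SEG_DATA, SEG_ACK, SEG_RST = "DATA", "ACK", "RST"
VALID, INVALID = "VALID", "INVALID"

REASONS = (  # same wording as the kernel's "ip_ct_tcp:" log lines
    "SEQ is over the upper bound (over the window of the receiver)",
    "SEQ is under the lower bound (already ACKed data retransmitted)",
    "ACK is over the upper bound (ACKed data not seen yet)",
    "ACK is under the lower bound (possible overly delayed ACK)",
)


@dataclass
class Side:
    end: int = 0     # td_end:    highest seq+len this side has sent
    maxwin: int = 0  # td_maxwin: largest window this side has advertised
    maxend: int = 0  # td_maxend: highest seq this side may send (peer's ack+win)


@dataclass
class Tracker:
    be_liberal: bool = False          # ip_conntrack_tcp_be_liberal
    # Window-scale shift per side, learnt from the SYN/SYN-ACK. A tracker
    # that picks the flow up mid-stream never learns it and keeps (0, 0).
    scale: tuple = (0, 0)
    sides: list = field(default_factory=lambda: [Side(), Side()])

    def check(self, frm, seq, length, ack, win, kind):
        """Classify one segment sent by side `frm` (0 or 1).
        Returns (verdict, reason); reason is None when the segment is in window."""
        snd, rcv = self.sides[frm], self.sides[1 - frm]
        end = seq + length
        win <<= self.scale[frm]          # scaled only if the factor is known
        if snd.end == 0:                 # first segment seen from this side
            snd.end = end
            snd.maxwin = max(win, 1)
            snd.maxend = end + snd.maxwin
        if rcv.maxwin == 0:              # nothing seen from the peer yet
            rcv.end = rcv.maxend = ack

        failed = [
            seq > snd.maxend,            # beyond what the peer will accept
            end < snd.end - rcv.maxwin,  # older than anything still useful
            ack > rcv.end,               # acks data the tracker never saw
            ack < rcv.end - snd.maxwin,  # ack lagging a whole window behind
        ]
        if not any(failed):
            snd.maxwin = max(snd.maxwin, win)
            snd.end = max(snd.end, end)
            rcv.maxend = max(rcv.maxend, ack + win)  # peer may now send up to here
            return VALID, None

        reason = REASONS[failed.index(True)]
        if self.be_liberal and kind != SEG_RST:
            return VALID, reason         # accepted anyway; state not updated
        return INVALID, reason


def relay_burst(be_liberal, scale_known, segments=30, mss=1460):
    """Constructed exchange: side 1 (the receiver) acks with window 16384 under
    a scale factor of 2 (really 64 KiB); side 0 (the sender) then pushes
    `segments` MSS-sized data segments back to back; side 1 finally sends one
    in-window RST and one RST far outside the window."""
    tr = Tracker(be_liberal=be_liberal, scale=(0, 2 if scale_known else 0))
    tr.check(1, 5000, 0, 1000, 16384, SEG_ACK)
    out_of_window = invalid_data = 0
    for i in range(segments):
        verdict, reason = tr.check(0, 1000 + i * mss, mss, 5000, 65535, SEG_DATA)
        out_of_window += reason is not None
        invalid_data += verdict == INVALID
    in_window_rst = tr.check(1, 5000, 0, tr.sides[0].end, 0, SEG_RST)[0]
    stray_rst = tr.check(1, 205000, 0, tr.sides[0].end, 0, SEG_RST)[0]
    return {"out_of_window": out_of_window, "invalid_data": invalid_data,
            "in_window_rst": in_window_rst, "stray_rst": stray_rst}


if __name__ == "__main__":
    for liberal in (False, True):
        for known in (False, True):
            print(f"be_liberal={liberal!s:5} scale_known={known!s:5}",
                  relay_burst(liberal, known))
```

With the scale unknown, the tracker believes the receiver can take 16384 bytes beyond its last ACK, so the 13th segment of the burst (and every one after it) is reported as "SEQ is over the upper bound": 18 segments are out of window, and in strict mode all 18 are INVALID. Setting be_liberal lets the same 18 segments through while the far-out-of-window RST is still rejected, which is exactly the change of behaviour the message describes. With the scale learnt from the handshake, the whole burst fits the 64 KiB window and nothing is flagged; that is the reason liberal mode is a workaround rather than a fix whenever the tracker is missing state about the flow.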
